sshd: backport upstream fix for SSHD-1231

SSHD-1231[1] may lead to exceptions when trying to authenticate first with an RSA key that is rejected by the server. The upstream fix is a one-liner but unfortunately didn't make it into Apache MINA sshd 2.8.0. Incorporate the upstream fix in JGitPublicKeyAuthentication, and add a test case for this. [1] https://issues.apache.org/jira/browse/SSHD-1231 Bug: 577545 Change-Id: Ia744cd4aa569bccd937c855f3bb45c0116915bad Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
2022-01-06 19:33:44 +01:00 · 2022-01-06 19:33:44 +01:00 · 4c555f0742
parent 709087c582
commit 4c555f0742
2 changed files with 40 additions and 0 deletions
--- a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
+++ b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
@ -107,6 +107,32 @@ public void testEd25519HostKey() throws Exception {
 				"IdentityFile " + privateKey1.getAbsolutePath());
 	}

+	/**
+	 * Test for SSHD-1231. If authentication is attempted first with an RSA key,
+	 * which is rejected, and then with some other key type (here ed25519),
+	 * authentication fails in bug SSHD-1231.
+	 *
+	 * @throws Exception
+	 *             on errors
+	 * @see <a href=
+	 *      "https://issues.apache.org/jira/browse/SSHD-1231">SSHD-1231</a>
+	 */
+	@Test
+	public void testWrongKeyFirst() throws Exception {
+		File userKey = new File(getTemporaryDirectory(), "userkey");
+		copyTestResource("id_ed25519", userKey);
+		File publicKey = new File(getTemporaryDirectory(), "userkey.pub");
+		copyTestResource("id_ed25519.pub", publicKey);
+		server.setTestUserPublicKey(publicKey.toPath());
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"IdentityFile " + privateKey1.getAbsolutePath(), // RSA
+				"IdentityFile " + userKey.getAbsolutePath());
+	}
+
 	@Test
 	public void testHashedKnownHosts() throws Exception {
 		assertTrue("Failed to delete known_hosts", knownHosts.delete());
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
@ -108,4 +108,18 @@ public PublicKeyIdentity next() {
 			};
 		}
 	}
+
+	@Override
+	protected PublicKeyIdentity resolveAttemptedPublicKeyIdentity(
+			ClientSession session, String service) throws Exception {
+		PublicKeyIdentity result = super.resolveAttemptedPublicKeyIdentity(
+				session, service);
+		// This fixes SSHD-1231. Can be removed once we're using Apache MINA
+		// sshd > 2.8.0.
+		//
+		// See https://issues.apache.org/jira/browse/SSHD-1231
+		currentAlgorithms.clear();
+		return result;
+	}
+
 }